
Trojan.Win32.Shutdowner.etd

Detected Aug 14 2010 00:49 GMT
Released Aug 14 2010 15:37 GMT
Published Mar 24 2011 10:33 GMT

Technical Details
Payload
Removal instructions

Technical Details

This Trojan delivers a malicious payload to the user's computer. It is a Windows application (PE EXE file). It is 39 078 bytes in size. It is written in C++.


Payload

Once launched, the Trojan calls the function "GetSystemDefaultLCID" to obtain the system default locale identifier (LCID), i.e. the group of regional settings the operating system uses by default. If the value obtained corresponds to one of the following languages:

  • Russian (ru)
  • Uzbek (uz)
  • Ukrainian (uk)
  • Azeri (az)
  • Kyrgyz (ky)
  • Tatar (tt)
  • Belarusian (be)
  • Kazakh (kk)
  • Bashkir (ba)
  • Divehi (dv)
  • Yakut (sah)
  • Armenian (hy)

the Trojan ceases running, and the original Trojan file is then deleted.

Otherwise, the Trojan performs the following actions:

  • To ensure that its process is unique within the system, it creates a unique identifier:
    Setup555
  • It encrypts the content of its original file, placing it in the file:
    %USERPROFILE%\Local Settings\Application Data\Windows Server\server.dat
    The original Trojan file is then deleted.
  • It extracts the following files from its body:
    %USERPROFILE%\Local Settings\Application Data\Windows Server\admin.txt (2 bytes)
    %USERPROFILE%\Local Settings\Application Data\Windows Server\sphlp.dll (2560 bytes; detected by Kaspersky Anti-Virus as "Trojan.Win32.Shutdowner.fhx")
  • It creates the following system registry key:
    [HKLM\System\CurrentControlSet\Services\sr\Parameters]
    "FirstRun" = "1"
  • It deletes the following system registry key:
    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR"
  • It launches the Print Manager's "Spooler" service. The Trojan uses this service's procedures to evade behavioral protection: by calling the API function "AddPrintProvidorA", it has the previously extracted library "sphlp.dll" loaded and executed in the context of the trusted process "spoolsv.exe".

The library "sphlp.dll" decrypts the content of the file:
%USERPROFILE%\Local Settings\Application Data\Windows Server\server.dat
and injects the obtained code into the address space of the following processes:
  • iexplore.exe
  • opera.exe
  • firefox.exe
The injected code enables the Trojan to track user statistics and the search requests sent to the following search resources:
  • altavista.com
  • google.com
  • bing.com
  • yahoo.com
The collected information is saved to the following file:
%System%\hlp.dat
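The following triage script is an added example, not part of the Kaspersky description and not Kaspersky's code. It is read-only: it looks for the host-side traces of the behaviour described above (the "Setup555" identifier, the "FirstRun" registry marker, and a library loaded into spoolsv.exe from outside the Windows directory) and reports them without changing anything. It assumes that "Setup555" is a named mutex (the description does not state the object type, so both the local and the Global namespace are tried) and that sphlp.dll appears as an ordinary loaded module of spoolsv.exe; it needs an elevated PowerShell so that the spooler's module list is readable.

```powershell
# Added triage script for Trojan.Win32.Shutdowner.etd; not Kaspersky's code.
# Read-only: reports indicators, changes nothing. Run elevated.
# Assumptions: "Setup555" is a named mutex (object type is not stated in the
# write-up), and sphlp.dll shows up as a loaded module of spoolsv.exe.

function Test-ShutdownerMutex {
    # TryOpenExisting succeeds only if some process already created the mutex;
    # an access-denied error also proves the object exists.
    foreach ($name in 'Setup555', 'Global\Setup555') {
        $m = $null
        try {
            if ([System.Threading.Mutex]::TryOpenExisting($name, [ref]$m)) { return $true }
        } catch [System.UnauthorizedAccessException] {
            return $true
        } finally {
            if ($null -ne $m) { $m.Dispose() }
        }
    }
    return $false
}

function Get-SuspiciousSpoolerModules {
    # sphlp.dll is dropped under the user's profile, so any module of
    # spoolsv.exe whose image lives outside %SystemRoot% deserves a look.
    $windir = $env:SystemRoot
    Get-Process -Name spoolsv -ErrorAction SilentlyContinue | ForEach-Object {
        $procId = $_.Id
        try { $mods = $_.Modules } catch { $mods = @() }   # 32/64-bit mismatch or access denied
        $mods | Where-Object {
            $_.FileName -and
            -not $_.FileName.StartsWith($windir, [System.StringComparison]::OrdinalIgnoreCase)
        } | ForEach-Object {
            [pscustomobject]@{ ProcessId = $procId; Module = $_.ModuleName; Path = $_.FileName }
        }
    }
}

function Test-FirstRunMarker {
    # The registry marker the Trojan writes on its first run.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\sr\Parameters'
    $p = Get-ItemProperty -Path $key -Name FirstRun -ErrorAction SilentlyContinue
    return ($null -ne $p -and "$($p.FirstRun)" -eq '1')
}

function Invoke-ShutdownerTriage {
    $modules = @(Get-SuspiciousSpoolerModules)
    $result = [pscustomobject]@{
        MutexPresent   = Test-ShutdownerMutex
        FirstRunMarker = Test-FirstRunMarker
        SpoolerModules = $modules
        Suspicious     = $false
    }
    $result.Suspicious = $result.MutexPresent -or $result.FirstRunMarker -or ($modules.Count -gt 0)
    return $result
}

$triage = Invoke-ShutdownerTriage
$triage | Format-List
if ($triage.Suspicious) {
    Write-Warning 'Indicators of Trojan.Win32.Shutdowner.etd found; see the removal instructions.'
}
```

A non-Windows module inside spoolsv.exe is the most telling of the three signals: a legitimate print provider or print processor is installed under %SystemRoot%, so a DLL loaded from a user profile is anomalous regardless of its name. The mutex and registry checks are cheap corroboration and would also fire on other samples of this family that reuse the same identifier.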


Removal instructions

If your computer does not have an antivirus and is infected by this malicious program, follow the instructions below to delete it:

  1. Terminate the "Spooler" print service.
  2. Use Task Manager to terminate the process "spoolsv.exe".
  3. Delete the following files:
    %USERPROFILE%\Local Settings\Application Data\Windows Server\server.dat
    %USERPROFILE%\Local Settings\Application Data\Windows Server\admin.txt
    %USERPROFILE%\Local Settings\Application Data\Windows Server\sphlp.dll
    %System%\hlp.dat
  4. Delete the following system registry key (see What is a system registry and how do I use it?):
    [HKLM\System\CurrentControlSet\Services\sr\Parameters]
    "FirstRun" = "1"
  5. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).
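The script below is an added example that carries out steps 1 to 4 of the instructions above in one go; it is not Kaspersky's removal tool. It supports -WhatIf so that the actions can be previewed before anything is stopped or deleted. It assumes that the "Windows Server" folder lives under the current user's profile (so it must be run once per affected account), that %System% is %SystemRoot%\System32, and it tries both the "Local Settings\Application Data" path given in the instructions and the AppData\Local path that this maps to on later Windows versions.

```powershell
# Added cleanup script for steps 1-4 of the removal instructions; not
# Kaspersky's tool. Run from an elevated PowerShell, first with -WhatIf.
# Assumptions: the drop folder is under the current user's profile, and
# %System% is %SystemRoot%\System32.

function Remove-ShutdownerArtifacts {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # Both spellings of the drop directory: the XP-era path from the
    # instructions and the AppData\Local path it maps to on later versions.
    $roots = @(
        (Join-Path $env:USERPROFILE 'Local Settings\Application Data'),
        $env:LOCALAPPDATA
    ) | Select-Object -Unique
    $files = @(foreach ($root in $roots) {
        foreach ($name in 'server.dat', 'admin.txt', 'sphlp.dll') {
            Join-Path (Join-Path $root 'Windows Server') $name
        }
    })
    $files += Join-Path $env:SystemRoot 'System32\hlp.dat'

    # Step 1: stop the print spooler that is hosting sphlp.dll.
    if ($PSCmdlet.ShouldProcess('Spooler', 'Stop service')) {
        Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
    }

    # Step 2: terminate any spoolsv.exe instance that survived the service stop.
    Get-Process -Name spoolsv -ErrorAction SilentlyContinue | ForEach-Object {
        if ($PSCmdlet.ShouldProcess("spoolsv.exe (PID $($_.Id))", 'Terminate process')) {
            Stop-Process -Id $_.Id -Force
        }
    }

    # Step 3: delete the dropped files and the collected-data file.
    foreach ($f in $files) {
        if (-not (Test-Path -LiteralPath $f)) { continue }
        if ($PSCmdlet.ShouldProcess($f, 'Delete file')) {
            Remove-Item -LiteralPath $f -Force
        }
    }

    # Step 4: remove the "FirstRun" marker. Only the value is deleted; the
    # "sr" service's Parameters key itself belongs to Windows and is kept.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\sr\Parameters'
    if (Get-ItemProperty -Path $key -Name FirstRun -ErrorAction SilentlyContinue) {
        if ($PSCmdlet.ShouldProcess("$key\FirstRun", 'Delete registry value')) {
            Remove-ItemProperty -Path $key -Name FirstRun
        }
    }

    # Step 5 is not automated here: run a full scan with up-to-date databases.
    Write-Host 'Artifacts processed. Now run a full antivirus scan (step 5).'
}

Remove-ShutdownerArtifacts -WhatIf   # preview; rerun without -WhatIf to apply
```

Once sphlp.dll is gone the spooler can be started again with Start-Service Spooler; it was stopped only so that the library could be unloaded and deleted. The script deliberately removes just the "FirstRun" value rather than the whole Parameters key, since that key is part of the System Restore service's own configuration.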


Trojan

This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.

This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.


Other versions

Aliases

Trojan.Win32.Shutdowner.etd (Kaspersky Lab) is also known as:

  • Trojan: Generic.dx!tpp (McAfee)
  • Mal/Generic-L (Sophos)
  • Trojan:Win32/Bamital.G (MS(OneCare))
  • Trojan.Hottrend.25 (DrWeb)
  • Win32/Bamital.DT trojan (Nod32)
  • Trojan.Agent.AQNE (BitDef7)
  • Trojan.Shutdowner.ABM (VirusBuster)
  • Trojan.Win32.Shutdowner (Ikarus)
  • Generic2_c.BMVG (AVG)
  • TR/Shutdowner.etd (AVIRA)
  • Trojan.Bamital (NAV)
  • W32/Suspicious_Gen2.BYFDZ (Norman)
  • Trojan.Win32.Generic.522A6A89 (Rising)
  • Trojan.Win32.Shutdowner.etd [AVP] (FSecure)
  • Trojan.Win32.Generic!BT (Sunbelt)
  • Trojan.Shutdowner!kU3SSoLQ1HU (VirusBusterBeta)